<html xmlns:v="urn:schemas-microsoft-com:vml"
      xmlns:o="urn:schemas-microsoft-com:office:office"
      xmlns="http://www.w3.org/TR/REC-html40">

<head>
    <meta http-equiv=Content-Type content="text/html; charset=windows-1252">
    <meta name=ProgId content=Word.Document>
    <meta name=Generator content="Microsoft Word 12">
    <meta name=Originator content="Microsoft Word 12">
    <title>Solution: XPATH Injection</title>
    <link rel=File-List href="XXE_files/filelist.xml">
    <link rel=Edit-Time-Data href="XXE_files/editdata.mso">
    <!--[if !mso]>
    <style>
        v\: * {
            behavior: url(#default#VML);
        }

        o\: * {
            behavior: url(#default#VML);
        }

        w\: * {
            behavior: url(#default#VML);
        }

        .shape {
            behavior: url(#default#VML);
        }
    </style>
    <![endif]--><!--[if gte mso 9]>
    <xml>
        <o:DocumentProperties>
            <o:Author>egeirnaert</o:Author>
            <o:LastAuthor>egeirnaert</o:LastAuthor>
            <o:Revision>3</o:Revision>
            <o:TotalTime>1200</o:TotalTime>
            <o:Created>2007-07-12T14:28:00Z</o:Created>
            <o:LastSaved>2007-07-12T15:19:00Z</o:LastSaved>
            <o:Pages>1</o:Pages>
            <o:Words>258</o:Words>
            <o:Characters>1473</o:Characters>
            <o:Company></o:Company>
            <o:Lines>12</o:Lines>
            <o:Paragraphs>3</o:Paragraphs>
            <o:CharactersWithSpaces>1728</o:CharactersWithSpaces>
            <o:Version>12.00</o:Version>
        </o:DocumentProperties>
    </xml><![endif]-->
    <link rel=themeData href="XXE/themedata.thmx">
    <link rel=colorSchemeMapping href="XXE_files/colorschememapping.xml">
    <!--[if gte mso 9]>
    <xml>
        <w:WordDocument>
            <w:Zoom>90</w:Zoom>
            <w:TrackMoves>false</w:TrackMoves>
            <w:TrackFormatting/>
            <w:PunctuationKerning/>
            <w:ValidateAgainstSchemas/>
            <w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
            <w:IgnoreMixedContent>false</w:IgnoreMixedContent>
            <w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
            <w:DoNotPromoteQF/>
            <w:LidThemeOther>EN-US</w:LidThemeOther>
            <w:LidThemeAsian>X-NONE</w:LidThemeAsian>
            <w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
            <w:Compatibility>
                <w:BreakWrappedTables/>
                <w:SnapToGridInCell/>
                <w:WrapTextWithPunct/>
                <w:UseAsianBreakRules/>
                <w:DontGrowAutofit/>
                <w:SplitPgBreakAndParaMark/>
                <w:DontVertAlignCellWithSp/>
                <w:DontBreakConstrainedForcedTables/>
                <w:DontVertAlignInTxbx/>
                <w:Word11KerningPairs/>
                <w:CachedColBalance/>
            </w:Compatibility>
            <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
            <m:mathPr>
                <m:mathFont m:val="Cambria Math"/>
                <m:brkBin m:val="before"/>
                <m:brkBinSub m:val="--"/>
                <m:smallFrac m:val="off"/>
                <m:dispDef/>
                <m:lMargin m:val="0"/>
                <m:rMargin m:val="0"/>
                <m:defJc m:val="centerGroup"/>
                <m:wrapIndent m:val="1440"/>
                <m:intLim m:val="subSup"/>
                <m:naryLim m:val="undOvr"/>
            </m:mathPr>
        </w:WordDocument>
    </xml><![endif]--><!--[if gte mso 9]>
    <xml>
        <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
                        DefSemiHidden="true" DefQFormat="false" DefPriority="99"
                        LatentStyleCount="267">
            <w:LsdException Locked="false" Priority="0" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Normal"/>
            <w:LsdException Locked="false" Priority="0" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="heading 1"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/>
            <w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 3"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/>
            <w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 1"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 2"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 3"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 4"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 5"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 6"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 7"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 8"/>
            <w:LsdException Locked="false" Priority="39" Name="toc 9"/>
            <w:LsdException Locked="false" Priority="0" QFormat="true" Name="caption"/>
            <w:LsdException Locked="false" Priority="10" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Title"/>
            <w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
            <w:LsdException Locked="false" Priority="11" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
            <w:LsdException Locked="false" Priority="0" Name="Hyperlink"/>
            <w:LsdException Locked="false" Priority="22" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
            <w:LsdException Locked="false" Priority="20" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
            <w:LsdException Locked="false" Priority="0" Name="Normal (Web)"/>
            <w:LsdException Locked="false" Priority="59" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Table Grid"/>
            <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
            <w:LsdException Locked="false" Priority="1" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List Accent 1"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
            <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
            <w:LsdException Locked="false" Priority="34" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
            <w:LsdException Locked="false" Priority="29" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
            <w:LsdException Locked="false" Priority="30" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List Accent 1"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List Accent 2"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List Accent 2"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List Accent 3"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List Accent 3"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List Accent 4"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List Accent 4"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List Accent 5"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List Accent 5"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
            <w:LsdException Locked="false" Priority="60" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
            <w:LsdException Locked="false" Priority="61" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light List Accent 6"/>
            <w:LsdException Locked="false" Priority="62" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
            <w:LsdException Locked="false" Priority="63" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
            <w:LsdException Locked="false" Priority="64" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
            <w:LsdException Locked="false" Priority="65" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
            <w:LsdException Locked="false" Priority="66" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
            <w:LsdException Locked="false" Priority="67" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
            <w:LsdException Locked="false" Priority="68" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
            <w:LsdException Locked="false" Priority="69" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
            <w:LsdException Locked="false" Priority="70" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Dark List Accent 6"/>
            <w:LsdException Locked="false" Priority="71" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
            <w:LsdException Locked="false" Priority="72" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
            <w:LsdException Locked="false" Priority="73" SemiHidden="false"
                            UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
            <w:LsdException Locked="false" Priority="19" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
            <w:LsdException Locked="false" Priority="21" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
            <w:LsdException Locked="false" Priority="31" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
            <w:LsdException Locked="false" Priority="32" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
            <w:LsdException Locked="false" Priority="33" SemiHidden="false"
                            UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
            <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
            <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
        </w:LatentStyles>
    </xml><![endif]-->
    <style>
        <!--
        /* Font Definitions */
        @font-face {
            font-family: "MS Mincho";
            panose-1: 2 2 6 9 4 2 5 8 3 4;
            mso-font-alt: "\FF2D\FF33 \660E\671D";
            mso-font-charset: 128;
            mso-generic-font-family: modern;
            mso-font-pitch: fixed;
            mso-font-signature: -1610612033 1757936891 16 0 131231 0;
        }

        @font-face {
            font-family: "Cambria Math";
            panose-1: 2 4 5 3 5 4 6 3 2 4;
            mso-font-charset: 0;
            mso-generic-font-family: roman;
            mso-font-pitch: variable;
            mso-font-signature: -1610611985 1107304683 0 0 159 0;
        }

        @font-face {
            font-family: Tahoma;
            panose-1: 2 11 6 4 3 5 4 4 2 4;
            mso-font-charset: 0;
            mso-generic-font-family: swiss;
            mso-font-pitch: variable;
            mso-font-signature: 1627400839 -2147483648 8 0 66047 0;
        }

        @font-face {
            font-family: "\@MS Mincho";
            panose-1: 2 2 6 9 4 2 5 8 3 4;
            mso-font-charset: 128;
            mso-generic-font-family: modern;
            mso-font-pitch: fixed;
            mso-font-signature: -1610612033 1757936891 16 0 131231 0;
        }

        /* Style Definitions */
        p.MsoNormal, li.MsoNormal, div.MsoNormal {
            mso-style-unhide: no;
            mso-style-qformat: yes;
            mso-style-parent: "";
            margin: 0cm;
            margin-bottom: .0001pt;
            mso-pagination: widow-orphan;
            font-size: 12.0pt;
            font-family: "Times New Roman", "serif";
            mso-fareast-font-family: "Times New Roman";
        }

        h1 {
            mso-style-unhide: no;
            mso-style-qformat: yes;
            mso-style-link: "Heading 1 Char";
            mso-style-next: Normal;
            margin-top: 12.0pt;
            margin-right: 0cm;
            margin-bottom: 3.0pt;
            margin-left: 0cm;
            mso-pagination: widow-orphan;
            page-break-after: avoid;
            mso-outline-level: 1;
            font-size: 16.0pt;
            font-family: "Arial", "sans-serif";
            mso-fareast-font-family: "MS Mincho";
            mso-font-kerning: 16.0pt;
            mso-fareast-language: JA;
            font-weight: bold;
        }

        h2 {
            mso-style-noshow: yes;
            mso-style-priority: 9;
            mso-style-qformat: yes;
            mso-style-link: "Heading 2 Char";
            mso-style-next: Normal;
            margin-top: 10.0pt;
            margin-right: 0cm;
            margin-bottom: 0cm;
            margin-left: 0cm;
            margin-bottom: .0001pt;
            mso-pagination: widow-orphan lines-together;
            page-break-after: avoid;
            mso-outline-level: 2;
            font-size: 13.0pt;
            font-family: "Cambria", "serif";
            mso-ascii-font-family: Cambria;
            mso-ascii-theme-font: major-latin;
            mso-fareast-font-family: "Times New Roman";
            mso-fareast-theme-font: major-fareast;
            mso-hansi-font-family: Cambria;
            mso-hansi-theme-font: major-latin;
            mso-bidi-font-family: "Times New Roman";
            mso-bidi-theme-font: major-bidi;
            color: #4F81BD;
            mso-themecolor: accent1;
            font-weight: bold;
        }

        h3 {
            mso-style-noshow: yes;
            mso-style-qformat: yes;
            mso-style-link: "Heading 3 Char";
            mso-style-next: Normal;
            margin-top: 12.0pt;
            margin-right: 0cm;
            margin-bottom: 3.0pt;
            margin-left: 0cm;
            mso-pagination: widow-orphan;
            page-break-after: avoid;
            mso-outline-level: 3;
            font-size: 13.0pt;
            font-family: "Arial", "sans-serif";
            mso-fareast-font-family: "Times New Roman";
            font-weight: bold;
        }

        p.MsoCaption, li.MsoCaption, div.MsoCaption {
            mso-style-noshow: yes;
            mso-style-qformat: yes;
            mso-style-next: Normal;
            margin: 0cm;
            margin-bottom: .0001pt;
            mso-pagination: widow-orphan;
            font-size: 10.0pt;
            font-family: "Times New Roman", "serif";
            mso-fareast-font-family: "Times New Roman";
            font-weight: bold;
        }

        p.MsoEnvelopeReturn, li.MsoEnvelopeReturn, div.MsoEnvelopeReturn {
            mso-style-noshow: yes;
            mso-style-priority: 99;
            margin: 0cm;
            margin-bottom: .0001pt;
            mso-pagination: widow-orphan;
            font-size: 12.0pt;
            font-family: "Times New Roman", "serif";
            mso-fareast-font-family: "Times New Roman";
            mso-fareast-theme-font: major-fareast;
        }

        a:link, span.MsoHyperlink {
            mso-style-noshow: yes;
            color: blue;
            text-decoration: underline;
            text-underline: single;
        }

        a:visited, span.MsoHyperlinkFollowed {
            mso-style-noshow: yes;
            mso-style-priority: 99;
            color: purple;
            mso-themecolor: followedhyperlink;
            text-decoration: underline;
            text-underline: single;
        }

        p {
            mso-style-noshow: yes;
            mso-margin-top-alt: auto;
            margin-right: 0cm;
            mso-margin-bottom-alt: auto;
            margin-left: 0cm;
            mso-pagination: widow-orphan;
            font-size: 12.0pt;
            font-family: "Times New Roman", "serif";
            mso-fareast-font-family: "Times New Roman";
        }

        pre {
            mso-style-noshow: yes;
            mso-style-priority: 99;
            mso-style-link: "HTML Preformatted Char";
            margin: 0cm;
            margin-bottom: .0001pt;
            mso-pagination: widow-orphan;
            tab-stops: 45.8pt 91.6pt 137.4pt 183.2pt 229.0pt 274.8pt 320.6pt 366.4pt 412.2pt 458.0pt 503.8pt 549.6pt 595.4pt 641.2pt 687.0pt 732.8pt;
            font-size: 10.0pt;
            font-family: "Courier New";
            mso-fareast-font-family: "Times New Roman";
        }

        p.MsoAcetate, li.MsoAcetate, div.MsoAcetate {
            mso-style-noshow: yes;
            mso-style-priority: 99;
            mso-style-link: "Balloon Text Char";
            margin: 0cm;
            margin-bottom: .0001pt;
            mso-pagination: widow-orphan;
            font-size: 8.0pt;
            font-family: "Tahoma", "sans-serif";
            mso-fareast-font-family: "Times New Roman";
        }

        span.Heading1Char {
            mso-style-name: "Heading 1 Char";
            mso-style-unhide: no;
            mso-style-locked: yes;
            mso-style-link: "Heading 1";
            mso-ansi-font-size: 16.0pt;
            mso-bidi-font-size: 16.0pt;
            font-family: "MS Mincho";
            mso-ascii-font-family: "MS Mincho";
            mso-fareast-font-family: "MS Mincho";
            mso-hansi-font-family: "MS Mincho";
            mso-bidi-font-family: Arial;
            mso-font-kerning: 16.0pt;
            mso-fareast-language: JA;
            font-weight: bold;
        }

        span.Heading2Char {
            mso-style-name: "Heading 2 Char";
            mso-style-noshow: yes;
            mso-style-priority: 9;
            mso-style-unhide: no;
            mso-style-locked: yes;
            mso-style-link: "Heading 2";
            mso-ansi-font-size: 13.0pt;
            mso-bidi-font-size: 13.0pt;
            font-family: "Cambria", "serif";
            mso-ascii-font-family: Cambria;
            mso-ascii-theme-font: major-latin;
            mso-fareast-font-family: "Times New Roman";
            mso-fareast-theme-font: major-fareast;
            mso-hansi-font-family: Cambria;
            mso-hansi-theme-font: major-latin;
            color: #4F81BD;
            mso-themecolor: accent1;
            font-weight: bold;
        }

        span.Heading3Char {
            mso-style-name: "Heading 3 Char";
            mso-style-noshow: yes;
            mso-style-unhide: no;
            mso-style-locked: yes;
            mso-style-link: "Heading 3";
            mso-ansi-font-size: 13.0pt;
            mso-bidi-font-size: 13.0pt;
            font-family: "Times New Roman", "serif";
            mso-ascii-font-family: "Times New Roman";
            mso-fareast-font-family: "Times New Roman";
            mso-hansi-font-family: "Times New Roman";
            mso-bidi-font-family: Arial;
            font-weight: bold;
        }

        span.HTMLPreformattedChar {
            mso-style-name: "HTML Preformatted Char";
            mso-style-noshow: yes;
            mso-style-priority: 99;
            mso-style-unhide: no;
            mso-style-locked: yes;
            mso-style-link: "HTML Preformatted";
            font-family: "Courier New";
            mso-ascii-font-family: "Courier New";
            mso-fareast-font-family: "Times New Roman";
            mso-hansi-font-family: "Courier New";
            mso-bidi-font-family: "Courier New";
        }

        span.BalloonTextChar {
            mso-style-name: "Balloon Text Char";
            mso-style-noshow: yes;
            mso-style-priority: 99;
            mso-style-unhide: no;
            mso-style-locked: yes;
            mso-style-link: "Balloon Text";
            mso-ansi-font-size: 8.0pt;
            mso-bidi-font-size: 8.0pt;
            font-family: "Tahoma", "sans-serif";
            mso-ascii-font-family: Tahoma;
            mso-fareast-font-family: "Times New Roman";
            mso-hansi-font-family: Tahoma;
            mso-bidi-font-family: Tahoma;
        }

        .MsoChpDefault {
            mso-style-type: export-only;
            mso-default-props: yes;
            font-size: 10.0pt;
            mso-ansi-font-size: 10.0pt;
            mso-bidi-font-size: 10.0pt;
            mso-ascii-font-family: Arial;
            mso-fareast-font-family: Calibri;
            mso-fareast-theme-font: minor-latin;
            mso-hansi-font-family: Arial;
            mso-bidi-font-family: "Times New Roman";
            mso-bidi-theme-font: major-bidi;
        }

        @page Section1 {
            size: 595.3pt 841.9pt;
            margin: 70.55pt 56.9pt 70.55pt 56.9pt;
            mso-header-margin: 35.3pt;
            mso-footer-margin: 35.3pt;
            mso-title-page: yes;
            mso-paper-source: 0;
        }

        div.Section1 {
            page: Section1;
        }

        -->
    </style>
    <!--[if gte mso 10]>
    <style>
        /* Style Definitions */
        table.MsoNormalTable {
            mso-style-name: "Table Normal";
            mso-tstyle-rowband-size: 0;
            mso-tstyle-colband-size: 0;
            mso-style-noshow: yes;
            mso-style-priority: 99;
            mso-style-qformat: yes;
            mso-style-parent: "";
            mso-padding-alt: 0cm 5.4pt 0cm 5.4pt;
            mso-para-margin: 0cm;
            mso-para-margin-bottom: .0001pt;
            mso-pagination: widow-orphan;
            font-size: 10.0pt;
            font-family: "Arial", "sans-serif";
            mso-bidi-font-family: "Times New Roman";
            mso-bidi-theme-font: major-bidi;
        }
    </style>
    <![endif]--><!--[if gte mso 9]>
    <xml>
        <o:shapedefaults v:ext="edit" spidmax="4098"/>
    </xml><![endif]--><!--[if gte mso 9]>
    <xml>
        <o:shapelayout v:ext="edit">
            <o:idmap v:ext="edit" data="1"/>
        </o:shapelayout>
    </xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:36.0pt'>

<div class=Section1>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Lesson
Plan Title:</span></b><span style='font-family:"Arial","sans-serif"'> How to
Perform XXE Injection Attacks. <o:p></o:p></span></p>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>Concept /
Topic To Teach:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>

    <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>This lesson
teaches how to perform XXE Injection attacks. <o:p></o:p></span></p>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>How the
attacks works:</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>

    <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'>An XML External Entity attack is a type of attack against an
    application that parses XML input. This attack occurs when XML input containing a reference to
    an external entity is processed by a weakly configured XML parser. This attack may lead to the
    disclosure of confidential data, denial of service, server side request forgery, port scanning
    from the perspective of the machine where the parser is located, and other system impacts.

    Attacks can include disclosing local files, which may contain sensitive data such as passwords
    or private user data, using file: schemes or relative paths in the system identifier. Since the
    attack occurs relative to the application processing the XML document, an attacker may use this
    trusted application to pivot to other internal systems, possibly disclosing other internal content
    via http(s) requests or launching a CSRF attack to any unprotected internal services. In some
    situations, an XML processor library that is vulnerable to client-side memory corruption issues
    may be exploited by dereferencing a malicious URI, possibly allowing arbitrary code execution
    under the application account. Other attacks can access local resources that may not stop returning
    data, possibly impacting application availability if too many threads or processes are not released.

    <o:p></o:p></span></p>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></b></p>

    <p class=MsoNormal><b><span style='font-family:"Arial","sans-serif"'>General
Goal(s):</span></b><span style='font-family:"Arial","sans-serif"'> <o:p></o:p></span></p>

    <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><!-- Start Instructions -->
You are searching for a ticket from Boston, MA- Airport code BOS for a well deserved holiday. Try to search for
a ticket. Try to find a flaw in the search form and list the root directory of your operation system.
</span><span style='font-family:"Arial","sans-serif";
mso-fareast-language:JA'><o:p></o:p></span></p>

    <p class=MsoNormal><span style='font-family:"Arial","sans-serif"'><o:p>&nbsp;</o:p></span></p>

    <p class=MsoNormal>
        <o:p>&nbsp;</o:p>
    </p>

    <p class=MsoNormal><span style='font-family:"Arial","sans-serif";mso-bidi-font-weight:
bold'>First we need to try whether the page reflects the output of the XXE.
        Because we can define a new entity within our search form we can start using the following XML:
        <br><br>

<i>
    <pre>
&lt;?xml version="1.0"?&gt;
&lt;!DOCTYPE replace [&lt;!ENTITY example "Test"&gt;]>
&lt;searchForm&gt;
  &lt;from&gt;&example;&lt;/from&gt;
&lt;/searchForm&gt;
</pre>
</i><br>
<br>
</span></p>

    <p>
        Using ZAP we can intercept the request and replace the xml with our own crafted xml submitting the
        request will show 'Test' in the term we searched for. To solve the lesson we will need
        to craft a message which will list the root of the drive, using the following search form will solve
        the lesson:

<pre>
&lt;?xml version="1.0"?&gt;
&lt;!DOCTYPE replace [&lt;!ENTITY name SYSTEM "file:/"&gt;]>
&lt;searchForm&gt;
  &lt;from&gt;BOS&name;&lt;/from&gt;
&lt;/searchForm&gt;
</pre>
    </p>

</div>
<table align='RIGHT' cellspacing='0' width='90%' border='0' cellpadding='0'>
    <tr>
        <td valign='MIDDLE' width='100%' align='RIGHT class=MsoNormal' style='font-family:"Arial","sans-serif"'>
            Solution by Nanne Baars
        </td>
    </tr>
</table>

</body>

</html>
